Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

eventpoll: move f_lock acquisition into ep_remove_file()

Let the helper own its critical section end-to-end: take &file->f_lock
at the top, read file->f_ep inside the lock, release on exit. Callers
(ep_remove() and eventpoll_release_file()) no longer need to wrap the
call, and the function-comment lock-handoff contract is gone.

Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-7-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

+4 -6
fs/eventpoll.c
··· 855 855 } 856 856 857 857 /* 858 - * Called with &file->f_lock held, 859 - * returns with it released 858 + * Takes &file->f_lock; returns with it released. 860 859 */ 861 860 static void ep_remove_file(struct eventpoll *ep, struct epitem *epi, 862 861 struct file *file) 863 862 { 864 863 struct epitems_head *to_free = NULL; 865 - struct hlist_head *head = file->f_ep; 864 + struct hlist_head *head; 866 865 867 866 lockdep_assert_held(&ep->mtx); 868 - lockdep_assert_held(&file->f_lock); 869 867 868 + spin_lock(&file->f_lock); 869 + head = file->f_ep; 870 870 if (hlist_is_singular_node(&epi->fllink, head)) { 871 871 /* See eventpoll_release() for details. */ 872 872 WRITE_ONCE(file->f_ep, NULL); ··· 931 931 if (!file) 932 932 return; 933 933 934 - spin_lock(&file->f_lock); 935 934 ep_remove_file(ep, epi, file); 936 935 937 936 if (ep_remove_epi(ep, epi)) ··· 1149 1150 1150 1151 ep_unregister_pollwait(ep, epi); 1151 1152 1152 - spin_lock(&file->f_lock); 1153 1153 ep_remove_file(ep, epi, file); 1154 1154 dispose = ep_remove_epi(ep, epi); 1155 1155
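Review bot: in the first hunk, removing lockdep_assert_held(&file->f_lock) leaves no check on either side of the lock boundary any more, so a caller that still holds &file->f_lock (the pre-patch convention for ep_remove() and eventpoll_release_file()) would now deadlock on the non-recursive spin_lock() with nothing to flag it; consider adding `lockdep_assert_not_held(&file->f_lock);` next to the remaining `lockdep_assert_held(&ep->mtx);` so a stale caller is caught under lockdep rather than hanging. The new comment "Takes &file->f_lock; returns with it released." also still reads like a hand-off contract; since the helper now owns the critical section end-to-end, a one-liner such as "Serialised against eventpoll_release() by &file->f_lock, taken here." describes what the lock protects rather than who unlocks it. Note that the shown hunk ends at WRITE_ONCE(file->f_ep, NULL), so the matching spin_unlock() and the to_free disposal are outside the visible context; every return path after the new spin_lock() needs to be checked to release the lock, which the diff as shown does not let a reviewer confirm.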